Add CRL (revocation list) checking option to client cert check

[rainisto]

CRL checking is essential part of safe PKI.

Revocation list can be appended to end of pure-ftpd.pem file.

Use case: trusted CA generates server and client certs, and at some point CA revocates the client cert (server should start rejecting the client, which it currently doesn't do). This patch fixes a bug that revoked client cert could still login.

By adding -R:-C: options to chipherlist, it starts checking the CRL list which has been appended to end of pure-ftpd.pem

[jedisct1]

Can you update the documentation (README.TLS) as well as the example configuration file, and explain that this should be only used with internal CAs?

[jedisct1]

X509_VERIFY_PARAM_new() returns NULL on allocation failure.

X509_VERIFY_PARAM_set_flags() and SSL_CTX_set1_param() return 1 for success or 0 for failure.

All these functions can fail. Can we check for these conditions?

[rainisto]

NULL checking would be useful if memory allocated by OPENSSL_malloc would fail, so I'll add NULL checking to pull request tomorrow. Set flags always returns 1, so no need to check it.

[jedisct1]

Set flags always returns 1, so no need to check it.

It's OpenSSL. You can't expect internals not to change without prior notice, even in a minor revision.

[racke]

There is a typo in the README.TLS patch (genereted instead of generated).